[Colors]
base_color=normal=white,black:
selected=black,green:
marked=brightyellow,black:
markselect=white,cyan:
editnormal=white,black:
editbold=yellow,black:
menu=black,cyan:
menuhot=red,cyan:
menusel=white,blue:
menuhotsel=white,blue:
dnormal=black,cyan:
dfocus=white,blue:
dhotnormal=red,cyan:
dhotfocus=red,blue:
input=white,black:
reverse=black,cyan:
executable=brightred,black:
directory=brightgreen,black:
link=lightgray,black:
device=brightmagenta,black:
special=blue,black:
core=green,black

0-ps-listing.sh

: q! (Enter)
Cntrl-C : : q! (Enter)

Rename /bin/vi to /bin/vi-orig

Make /bin/vi a symlink to the joe executable /usr/bin/joe .

Then, to keep joe happy when it is called by a file of name "vi", create a symlink called "virc" in /etc/joe (was /usr/lib/joe/ ) and point it to joerc in that directory.

yum list > yum-list.txt

rpm -q -p <filename> -l 

From the Win2k machine I used an Ethernet card (the motherboard's Ethernet card was on the LAN) and a normal cable to the modem.  That NIC is set up in Windows to be DHCP - a client, to obtain its IP address from a DHCP server in the network it is connected to.  I left the LAN cable plugged in, but modified the properties of that connection so that there was no default route to the old gair on the LAN (which was connected to the Net via a 56k modem).  This means that when I get this modem going, the Win2K will be able to access the Net via the ADSL service.

The modem has such a DHCP server, at least in its out of the box default configuration.  Then I use a web browser to access http://10.1.1.1, where I find some pages on the modem. 

This Internode service uses "PPP0E LLC".

In the WAN settings page, entered these details, by a method described below:

• PPPoE/PPPoA
• User name: xx@internode.on.net
• Password: yyyyyyyy
• Connection type: PPPoE LLC
• MRU: 1492 bytes
  
• Default Route: Enabled
• ATM VC Setting
• PVC: Pvc0
• VPI: 8
  
• VCI: 35
• Virtual Circuit: Enabled.
  

Plug in Ethernet cable and phone line cable.

Fire up http://10.1.1.1 with user "admin" and password "admin".

In the Home: WAN section, enter the details in red above.

Do not use the Connect button.  Use the Apply button.  The a page comes up where I Save and Reboot the router.

Wait for the browser page to be refreshed.  This can take nearly a minute.

Home: WAN.  It will not be connected yet, but the details are saved in FLASH.  Click the Connect button.  Hmmm - it didn't connect, but at least it didn't clobber the details I just put in.

At this point, the Status LED is flashing.  The ADSL LED is On (though it may fluctuate) and so is the Ethernet LED.

Reboot the Windows machine and turn the router off and on.

Now it simply works.  As long as no other network interface has a default route, it seems that the Windows machine uses DHCP to get an IP address, network address, subnet mask, name servers etc. The address the Win2K machine was given was 10.1.1.2.

I can still use the browser to talk to the router: http://10.1.1.1 with user "admin" and password "admin".

In the DHCP section, I see 10.1.1.2.  There are options there for a "static" DHCP server and for no DHCP server.

On the DNS page there are the two name servers of Internode:  192.231.203.132 and 192.231.203.3.  So the modem must have got these details via PPP from Internode.

This is the usual approach - having the PPP client in the ADSL modem:

http://www.internode.on.net/adsl/faq/using-internode-adsl.htm#faq49

This can support multiple computers by use of an Ethernet switch.  Each gets a local, private, IP address via DHCP and accesses the Net via NAT in the ADSL modem.

The general configuration information at Internode:


states:


Although I don't think this service is ADSL2+, PPPoE has always worked.  There is a detailed tutorial on PPP over Ethernet by David F. Skoll at: http://www.roaringpenguin.com/files/pppoe-slides.pdf .  The DSL-502T was introduced in early 2005 (I think) - the same time as the DSL-504.  Internode has a guide for configuring the DSL-504 here  .  It uses 192.168.0.1 to access the modem/router, whereas mine uses 10.1.1.1.However this Internode guide is for PPPoA, not PPPoE.  For some reason I can't remember, I believe I need PPPoE.

What I finaly did was:

Configure the network card - it needs to be "up" with no IP address or anything else. Do not set the interface to "dhcp", use pump or dhcpcd or anything like that on the interface. A simple "ifconfig eth1 up" should suffice.

Install rp-pppoe. (rp means Roaring Penguin: .

Run adsl-setup.

Run adsl-start.

"As for routing, let the PPP daemon work it all out. When the PPP daemon has negotiated a PPP session, it should set the default route to the be other end of the ADSL connection."

login name: my Internode account name, which looks like an email address:  xxx@internode.on.net

interface eth1

I want this link to stay up permanently, so I enter "no".

Address of ISP's DNS servers: 192.231.203.3 and 192.231.203.132.

I enter my password - this is the CHAP password Internode gave me.

User control: no.

I choose '2' for the Masquerade type of firewall: NAT, so local LAN machines can access the Net via NAT translation in this gateway machine, which will have as its IP address on the LAN: 10.0.0.1.  Other machines on the LAN will have this address as their Default Gateway.

Start the connection at boot time? yes.

/etc/sysconfig/network-scripts/ifcfg-ppp0


/etc/ppp/chap-secrets


/etc/ppp/firewall-masq


/etc/ppp/options

# MADE-BY-RP-PPPOE
nameserver 192.231.203.3
nameserver 192.231.203.132

NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=nair.firstpr.com.au
GATEWAY=10.0.0.1

To give it its new name and make it use 10.0.0.1 as its default gateway, I changed its file /etc/sysconfig/network from:

NETWORKING=yes
FORWARD_IPV4=yes
HOSTNAME=gair
GATEWAY=
GATEWAYDEV=ppp0

to:

I also edited the IP address line in /etc/sysconfig/network-scripts/ifcfg-eth0 and then giving the command /etc/rc.d/init.d/network restart

This did not change this machine's idea of itself as "gair", so I rebooted it. Then it knew its new name.  (Along with loading a new kernel, it seems that changing the hostname is something which really does require a reboot in Linux.  Everything else can be done without a reboot.)

(I probably need to change the hostname specified for localhost in /etc/hosts too.)

Changed the host name nair to gair in /etc/sysconfig/network :

NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=nair.firstpr.com.au

(Where was it configured to use 10.0.0.1 as its gateway -to send packets to when they are not addressed to any machine on the LAN??)

Then I changed its IP address in /etc/sysconfig/network-scripts/ifcfg-eth0 from 10.0.0.2 to 10.0.0.1:

I did not detach hardlinks before saving.

(See below where I change /etc/hosts - I should have done this now.

Then I rebooted this machine, and it came to life as gair on 10.0.0.1.  (This is without the ADSL modem being plugged in.)

Without the Ethernet cable going to the modem, the "Bringing up interface ppp0" takes a minute or so before it fails and the boot procedure continues.

I changed a few things so it could do nfs to the other Linux machine, and the oldgair machine.

I began by listing the contents of the rp-pppoe RPM:


The script which looks for "FIREWALL" is /sbin/adsl-connect:


but both these scripts are not executable at present.  Do they need to be?

I will replace /etc/ppp/firewall-masq with my own modified version and see if it works.

It is vital that the caching namesever functions only be available to servers on the LAN.  When I wrote this page, I didn't think about this.  What I wrote sets named up to be a recursive nameserver which responds to queries from the entire Internet.  This is known as an Open Recursive Nameserver (but for search-engine-bait: "open nameserver").

This means an attacker can use the nameserver as part of a DDoS attack (Distributed Denial of Service).  Let's say the attacker's victim is at 11.22.33.44.  The attacker sends a packet to my nameserver with a spoofed source address of 11.22.33.44.  The request causes my nameserver to send the reply to that address.  

I found this happening, every few seconds, for the one victim address.  The request was for a long TXT answer from a particular domain, operated by the attacker, to make the reply packet nice and long.  The attacker's request packet to my server was short (71 bytes) and my server was sending a reply packet to the victim IP address, consisting of two 1492 byte packets and one of 1165 bytes.  This was happenning every few seconds.  So my nameserver was acting as a 58:1 amplifier of the effort of this attacker.   The burden of packets on the destination IP address would have been immense, assuming many other nameservers such as mine were being used in the same way.

More on this at:


A partial answer is to include the following line in named.conf:


This goes anywhere in the "options { . . . };" section.

It prevents named from properly answering any queries for domains other than the ones it is authoritative for, when the requests originate from outside my LAN.

This was suggested by the  section 5.2.1 of the above-linked report.  The format for the "address_match_list" for bind 9 is at http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html#address_match_lists .

However . . .

. . . the nameserver still responds with a shorter message, including the "hints" file - the list of root nameservers.  So when configured like this, there are less bytes sent to the victim, but still more than the attacker sent, so there is still amplificatation of the attacker's efforts.

The real solution is more complex - and I haven't yet implemented it: "split views", along the lines of:


I am not sure yet whether this would stop the server replying with the hints file.

It is not necessary to run named in a chroot environment if the Red Hat SELinux policy for named is enabled. When enabled, this policy is far more secure than a chroot environment.

With this extra security comes some restrictions: By default, the SELinux policy does not allow named to write any master zone database files. Only the root user may create files in the $ROOTDIR/var/named zone database file directory (the options { "directory" } option), where $ROOTDIR is set in /etc/sysconfig/named.

system-config-bind


I try the GU program's "New" menu item and try adding a new zone: Internet (click OK) Forward (click OK, then enter a dummy zonefile name for now "blah.com." - note the trailing dot) Master (click OK).  The next window has a bunch of stuff which goes in the zone file.  I leave the defaults, but am not sure what to do with the Zone File Path, which is currently "blah.com.db".  It seems this is the name of the file it is going to write.  When I click OK, a new item appears in the list in the main window of the program: "blah.com".  Nothing has been written to /var/named/chroot/var/named/ yet.  But if I click the Save button, then a file is created there: blah.com.db :


Also, this has been added to /var/named/chroot/etc/named.conf :


This looks compatible with the way I specified the zone files in my old /etc/named.conf.  The ".db" in the zonefile name is just a convention and is not needed.

Back at the GUI program, I can select this "blah.com" Internet Forward Zone and add things to it by right-clicking it.  I try adding a second nameserver, the text name of my US machine "sf.firstpr.com.au".  The GUI program stupidly appends "blah.com." to the end of it . . .  I edit it to "sf.firstpr.com.au." and it is happy.  After clicking "Save", the blah.com.db file becomes:


Note the 2 became 3 - this is the serial number or whatever by which named recognises that the file is different from what was there before.

This format for the second authoritative nameserver is a little different from what is in my old zonefiles:


I am trying to figure out to what extent I can copy the old zone files.  I guess I can . . .

I try adding an A (IPv4 address), without using the "Create Reverse Mapping Record".  This is for "www.blah.com." with a caching time of 1 hour 7 minutes and an IP address of 12.34.56.78.  Each time I use Save, there is a backup file is created in the same directory with the same name but with the date and time appended to the name.  These could clutter things up, but they are easily deleted manually.

Now the file is like this:


Hmmm - that one "1 hour 7 minutes" for this one item affected the caching time of the whole zonefile.

I add an MX record.  The default caching time is now "1 hour 7 minutes".  I enter one with priorty 10 "gair.firstpr.com.au.".  Since I used a dot at the end of the name, the GUI program didn't append "blah.com.".  I added another with priority 20 "sf.firstpr.com.au."

I added an A record for "blah.com." = 33.44.55.66 and the resulting file was:


This looks good.  I recall that in bind8 at least, the unnamed IN record for the host name with the same name as the domain must come before the others.  Still, this is not a complete file, if I was doing it for firstpr.com.au instead, since I would need to specify the IP addresses of gair and sf as well.

It is not clear how to use the GUI program to add a subdomain.  In bind8 I did it like this:



Apart from these caching time "1H7M" things, the new file format looks compatible with my old ones.  So I will try copying those zone files to /var/named/chroot/var/named/ and adding the same text as I used before, for each, in /var/named/chroot/etc/named.conf .

First, I want to see how I can use the GUI program to specify an Access Control List so the one IP address which named on the US server uses will be allowed to retrieve updated information for the various zones for which it is a slave.

At the top of the GUI window list is "DNS Server".  By right clicking this (I can start this server with one of these right-click options . . . ) I can add an "Access Control List".  I give the list the name "sf-firstpr" and the IP address 72.36.140.10.  After "Save", the new line in /var/named/chroot/etc/named.conf: is immediately after the first few lines of comments:  (Did it convert "-" to "."?)


I also add "Controls": addresses to listen on: 150.101.162.123 (the IP address of the ADSL service) with port 53, not port "953" as the GUI program presented as the default value.  Clicking OK at the bottom leads to an error message in the xterm I gave the initial command in.  The problem is with DNS.py and is "invalid literal for int(): ort 53".  I try again with 953 and get the same message, but for "rt 953".  So this part of the program is buggy.

So far the results of this system look compatible with my old file fomat, so I abandon this GUI program and copy the old config stuff.

I deleted the "blah.com.db" file and its backups, but this turned out to be incomplete - since system-config-bind would not start after that.  This was fixed by removing the relevant lines in /var/named/chroot/etc/named.conf .

I copy the old zone files to the new directory, remove the blah.com.db file, add lines such as this to /var/named/chroot/etc/named.conf:


My new /var/named/chroot/etc/named.conf file starts with the ACL to allow the US server to access these zonefiles:


At the end, I add references to zonefiles like this:


and start named:


Stop failed, since it wasn't running.  Once I fixed some typos, Start worked fine too.  Problems with it starting are explained in /var/log/messages.

So named is running fine.

(I will tackle Postfix configuration with the SPF later - to help reduce the backscatter messages my system generates.)

The machine is on the Net, with its fixed IP address, nameserver, IMAP server and LAN working, but not yet NAT . . .

Mail filtering should be OK.  I just need to configure Postfix to run as gair, rather than the test machine nair, and start it.

In /etc/postfix/main.cf I add or alter the following items.

This is probably not needed:


Maybe this isn't needed either, but I like to make it explicit.


This is needed, the other domains for which this machine is the primary or seconary mailserver:



The Trust and Relay Control section is really important.  I tell Postfix to trust machines on the LAN.


There is some information on setting up two Postfix machines to be primary and backup mailhosts: http://www.akadia.com/services/postfix_mx_backup.html .  I don't use the transport_maps portion of this.

I understand it has long been standard practice to have at least one backup mailserver for each domain, however I understand that another school of thought is to have only one mailserver, and rely on sending MTAs to hold their messages for a while if the one mailserver is down.  If this occurs, there is no real purpose in having a backup, since no-one plans to have their mailserver down for longer than the week or so (?) that an MTA will try to send the message for.  Spammers often send messages to the backup mailserver, if there is one.

Since all the domains for which these two servers are primary and secondary for are listed in my "mydestination" variable, as just mentioned, all that needs to be in both machine's main.cf files is:

   
This is based on a file which is no longer in the Postfix distribution: /etc/postfix/samples/sample-smptd.cf.  Google can't find such a file on the site http://www.postfix.org but there is a copy at: http://www.paccomp.com/postfix/node28.html   So perhaps this is not the way to do backup mailservers with the current version of Postfix.